Re: security: wted?

2025-02-14 Thread home user via users

On 2/13/25 11:15 PM, Michael D. Setzer II wrote:

> On 13 Feb 2025 at 20:39, home user via users wrote:
>
> [snip]
>
> So looks like 0.58 has some added things.
>
> rkhunter seems to have the same version as sourceforge site.


Thank-you Michael.

My information came from "dnf history" and the tools' websites.


By the way, I notice that rkhunter was last patched on my
workstation in June of 2022.  But its webpage shows its last update
to be March of 2024.  Is our repository almost a year behind on this?



--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: security: wted?

2025-02-14 Thread Tim via users
Tim:
> > Is there a reason you feel the need to check for rootkits?
> > 
> > I'm under the impression that if you don't install things from outside
> > of the repos, and keep SELinux running, there's a so-close-to-zero
> > chance of you having a problem that it's not worth worrying about.

   

home user:
> Maybe I'm remembering wrong, but I recall over a decade ago being
> advised on this list to use 2 tools to watch for malware on this
> workstation: chkrootkit and rkhunter.

As a general rule, old advice goes stale...  ;-)

And out-of-date malware detection of any kind is probably pointless.

I don't know about on Linux, but running competing malware detection on
Windows boxes was always a good way to start a software fight between
them.


> Also, don't these tools check for more than just rootkits?

I haven't looked into it, but the name suggests what their job is.  And
the Linux approach was always to make a tool to do its job, and another
tool to do another job.

Most of the time anti-malware running on Linux was to protect Windows
machines on the same network.  Such as scanning incoming mail before
the Windows machines got it.

And another general rule was that Linux doesn't really need it if you
follow good computing practice of not installing or running (without
installing) random software from anywhere.  Supposedly our repos have
enough eyes looking through them to stop shonky things getting in,
although that has happened.

As I mentioned before, our email programs aren't so dumb as to go "this
attachment is an executable, I'll do what the system normally does with
executables," as Windows did.  Likewise with web browsers.  Those are
the two main remote vectors of attack against any PC (mail and
websites).

If you want to open yourself up to Windows-style attacks, run Samba
with no firewall and treating the public internet the same as your LAN
like ye olde Windows did (I've no idea if modern Windows is as
vulnerable).  I saw a friend's old XP PC get done just 13 seconds after
connecting to the internet through a USB ADSL modem, several times in a
row after lengthy format and re-installs, because he wouldn't listen to
me.  It was several hours before he finally paid attention.  We were
watching movies and having a pizza feast while his computer was
grinding its gears.  I wouldn't have put up with that much timewasting
otherwise, but I just about wet myself laughing.

But, Fedora doesn't do that.  We have a firewall by default, Samba
isn't running by default, and public IPs are treated like the plague
compared to your LAN.  We don't usually have core features that are
exposed to the Wild-Wild-West, SSH has to be configured dumbly to do
that.  We have SELinux that sets rules on servers about what files
they're allowed access to (e.g. webservers can't just read any file
outside of the serving directory, unless you're dumb enough to follow
really stupid guides on the internet telling you to shut it off).

And we're mostly behind some kind of router with NAT that gets in the
way of remote access, these days.

Several years ago when we had fibre internet installed in the house,
during part of the install procedure they asked me to plug a computer
directly into the fibre network (bypassing their modem/router combo
device that normally is between you and them).  Other than me being
assigned an IP, they were perplexed that they couldn't detect my
laptop.  Normally they get some kind of response from Windows devices
that lets them tell it's there, and can figure out what it is via
various fingerprints.  My laptop was running Fedora.

How is malware going to get onto a Linux box?

You pretty much have to shoot yourself in the foot with Linux, and few
anti-malware products are good at stopping people who do that.  There's
very little of things just slipping in without your help.

There's the obvious route of a miscreant giving someone advice to
download and install BADTHING from their website, which might be a
website with fake how-to-solve something instructions, or a telephone
call from not-your-bank about some fake security problem.  But most of
that crap is aimed at Windows users.

There's the sly remote hack of your system, where bad actors are
probing every IP on the planet trying to find something to hack (*). 
But there's very few things on your system paying attention to outside
traffic.  Again most of that crap is aimed at Windows users.  And
that's not just because of the sheer numbers of Windows users, but
because it's such an easy target.

* Many years ago when I was not on Linux, and using a dial-up modem
with a direct connection to my computer, I would notice any time after
I posted on public mailing lists there'd be a flurry of failed
connection attempts on my IP.  Clearly some bad actors watch certain
places for currently active connections.

But they probably are just scanning every IP on the planet all the
time, now.  The computing power to do that is available to them. 
Unplug your PC (and o
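
Tim's argument rests on what a default Fedora install actually exposes: a firewall, no Samba, SSH only if you configure it, and very little else "paying attention to outside traffic". The script below is an added example, not something from Tim or the list; it turns that claim into a check you can run on your own box. The `exposed_listeners` filter assumes input in the column layout of `ss -Hltn` (State, Recv-Q, Send-Q, Local:Port, Peer:Port) and keeps only sockets not bound to loopback; the `SAMPLE_SS` lines are constructed, not captured from a real host, and deliberately include the SSH and SMB ports Tim mentions so the filter has something to show.

```shell
#!/bin/sh
# Added example (not from the thread). Lists TCP listeners that are reachable
# from something other than the local machine, plus the SELinux and firewalld
# state Tim relies on. Assumes iproute2's `ss` when run live.

# Filter `ss -Hltn`-style lines and print Local:Port for every socket that is
# not bound to 127.0.0.0/8 or [::1]. Field 4 is the local address:port.
exposed_listeners() {
    awk '{
        local = $4
        if (local ~ /^127\./ || local ~ /^\[::1\]/) next
        print local
    }'
}

# Constructed sample in `ss -Hltn` format (not real output from any host):
# sshd on all addresses, CUPS on loopback only, and an SMB listener.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:631 [::]:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*'

# Posture report for a live Fedora box. Every command is optional so the
# function degrades gracefully on systems without these tools.
posture_report() {
    command -v getenforce >/dev/null 2>&1 && echo "SELinux: $(getenforce)"
    command -v firewall-cmd >/dev/null 2>&1 && echo "firewalld: $(firewall-cmd --state 2>&1)"
    if command -v ss >/dev/null 2>&1; then
        echo "Exposed TCP listeners (anything here is what the outside can talk to):"
        ss -Hltn | exposed_listeners
    fi
    return 0
}

# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_SS" | exposed_listeners
# Usage on the running system:
#   posture_report
```

On a stock Fedora workstation with the firewall up and Samba not installed, the listener list is typically short; anything that shows up on `0.0.0.0` or `[::]` is a service worth knowing about, and the firewall zone still decides whether it is reachable.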

Re: security: wted?

2025-02-14 Thread Patrick O'Callaghan
On Fri, 2025-02-14 at 14:51 -0700, home user via users wrote:
> On 2/14/25 3:49 AM, Patrick O'Callaghan wrote:
> > On Thu, 2025-02-13 at 23:32 -0800, Samuel Sieb wrote:
> > > Those tools are not going to provide any useful help.
> > 
> > I tend to agree. I've never used either of them and have had no
> > consequences as a result. Linux can have security issues of course, but
> > my feeling is that they are much more likely to come from phishing or
> > from supply-chain attacks, which rootkit detectors aren't going to
> > catch.
> > 
> > poc
> 
> Thank-you Samuel and Patrick.
> 
> I'm all for "redeeming" a few minutes each week!
> 
> supply-chain attack?  I've not heard of that one before.

An example of a supply-chain attack would be the (fortunately failed)
attempt at subverting the XZ source code:

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

which was caught in time by an alert guy from Microsoft of all places.

> I'd ask what's next, but I fear I won't like the answer.
> And I'm concerned that the answer will "help" the malicious people/groups 
> that are snooping and harvesting this list for e-mail addresses and names.

That's absolutely the wrong attitude. People need to be aware of
potential vulnerabilities. Clearly there are sensible conventions about
disclosure in order to give developers time to correct errors, but
secrecy is the enemy of quality. That's one reason we use free
software.

poc


Re: security: wted?

2025-02-14 Thread home user via users

On 2/14/25 8:49 AM, Tim wrote:

> Tim:
> > > Is there a reason you feel the need to check for rootkits?
> > >
> > > I'm under the impression that if you don't install things from outside
> > > of the repos, and keep SELinux running, there's a so-close-to-zero
> > > chance of you having a problem that it's not worth worrying about.
>
> home user:
> > Maybe I'm remembering wrong, but I recall over a decade ago being
> > advised on this list to use 2 tools to watch for malware on this
> > workstation: chkrootkit and rkhunter.
>
> As a general rule, old advice goes stale...  ;-)
>
> And out-of-date malware detection of any kind is probably pointless.
>
> I don't know about on Linux, but running competing malware detection on
> Windows boxes was always a good way to start a software fight between
> them.


Actually, I was manually running them, one at a time.


> > Also, don't these tools check for more than just rootkits?
>
> I haven't looked into it, but the name suggests what their job is.  And
> the Linux approach was always to make a tool to do its job, and another
> tool to do another job.


I'm not certain.  It was the impression I got from the tools' output.


> Most of the time anti-malware running on Linux was to protect Windows
> machines on the same network.  Such as scanning incoming mail before
> the Windows machines got it.
>
> And another general rule was that Linux doesn't really need it if you
> follow good computing practice of not installing or running (without
> installing) random software from anywhere.  Supposedly our repos have
> enough eyes looking through them to stop shonky things getting in,
> although that has happened.
>
> As I mentioned before, our email programs aren't so dumb as to go "this
> attachment is an executable, I'll do what the system normally does with
> executables," as Windows did.  Likewise with web browsers.  Those are
> the two main remote vectors of attack against any PC (mail and
> websites).


And those are my real concerns.
I use Firefox.  There's that little shield icon just to the left of the
address bar.  I'm amazed (and concerned) at how many web sites that shield
"says" are trying to track, cross-site track, and fingerprint.  ...and how
many sites refuse to function unless I disable Firefox's blocking.  ...even
charities and government sites.
Messages in Thunderbird can be surprisingly tricky and subtle, too.  I dare
not say more about that.


> If you want to open yourself up to Windows-style attacks, run Samba
> with no firewall and treating the public internet the same as your LAN
> like ye olde Windows did (I've no idea if modern Windows is as
> vulnerable).  I saw a friend's old XP PC get done just 13 seconds after
> connecting to the internet through a USB ADSL modem, several times in a
> row after lengthy format and re-installs, because he wouldn't listen to
> me.  It was several hours before he finally paid attention.  We were
> watching movies and having a pizza feast while his computer was
> grinding its gears.  I wouldn't have put up with that much timewasting
> otherwise, but I just about wet myself laughing.
>
> But, Fedora doesn't do that.  We have a firewall by default, Samba
> isn't running by default, and public IPs are treated like the plague
> compared to your LAN.  We don't usually have core features that are
> exposed to the Wild-Wild-West, SSH has to be configured dumbly to do
> that.  We have SELinux that sets rules on servers about what files
> they're allowed access to (e.g. webservers can't just read any file
> outside of the serving directory, unless you're dumb enough to follow
> really stupid guides on the internet telling you to shut it off).
>
> And we're mostly behind some kind of router with NAT that gets in the
> way of remote access, these days.
>
> Several years ago when we had fibre internet installed in the house,
> during part of the install procedure they asked me to plug a computer
> directly into the fibre network (bypassing their modem/router combo
> device that normally is between you and them).  Other than me being
> assigned an IP, they were perplexed that they couldn't detect my
> laptop.  Normally they get some kind of response from Windows devices
> that lets them tell it's there, and can figure out what it is via
> various fingerprints.  My laptop was running Fedora.
>
> How is malware going to get onto a Linux box?
>
> You pretty much have to shoot yourself in the foot with Linux, and few
> anti-malware products are good at stopping people who do that.  There's
> very little of things just slipping in without your help.
>
> There's the obvious route of a miscreant giving someone advice to
> download and install BADTHING from their website, which might be a
> website with fake how-to-solve something instructions, or a telephone
> call from not-your-bank about some fake security problem.  But most of
> that crap is aimed at Windows users.
>
> There's the sly remote hack of your system, where bad actors are
> probing every IP on the planet trying to find something to hack (*).
> But there's very few things on your system paying attention to outside
> traffic.  Again most of t

Re: security: wted?

2025-02-14 Thread home user via users

On 2/14/25 9:59 AM, Patrick O'Callaghan wrote:

> On Sat, 2025-02-15 at 02:19 +1030, Tim via users wrote:
> > Having said all that, most people don't serve websites from their own
> > PC any more, few ISPs allow it.
>
> I do run a small family webserver on my desktop, but I also have
> Fail2Ban installed. It registers multiple failed connection attempts
> every day, mainly from China. My policy is to automatically ban these
> forever as soon as they occur.
>
> poc


Thank-you, Patrick.  I thought I had fail2ban on this workstation.  I just 
checked.  It's one of many things that got wiped out in this workstation's 
October disaster.  I'll have to take another look at the tool and, more likely 
than not, re-install it.



Re: security: wted?

2025-02-14 Thread home user via users

On 2/14/25 3:49 AM, Patrick O'Callaghan wrote:

> On Thu, 2025-02-13 at 23:32 -0800, Samuel Sieb wrote:
> > Those tools are not going to provide any useful help.
>
> I tend to agree. I've never used either of them and have had no
> consequences as a result. Linux can have security issues of course, but
> my feeling is that they are much more likely to come from phishing or
> from supply-chain attacks, which rootkit detectors aren't going to
> catch.
>
> poc


Thank-you Samuel and Patrick.

I'm all for "redeeming" a few minutes each week!

supply-chain attack?  I've not heard of that one before.
I'd ask what's next, but I fear I won't like the answer.
And I'm concerned that the answer will "help" the malicious people/groups that 
are snooping and harvesting this list for e-mail addresses and names.



Re: security: wted?

2025-02-14 Thread Patrick O'Callaghan
On Thu, 2025-02-13 at 23:32 -0800, Samuel Sieb wrote:
> Those tools are not going to provide any useful help.

I tend to agree. I've never used either of them and have had no
consequences as a result. Linux can have security issues of course, but
my feeling is that they are much more likely to come from phishing or
from supply-chain attacks, which rootkit detectors aren't going to
catch.

poc


Re: security: wted?

2025-02-14 Thread Patrick O'Callaghan
On Sat, 2025-02-15 at 02:19 +1030, Tim via users wrote:
> Having said all that, most people don't serve websites from their own
> PC any more, few ISPs allow it.  

I do run a small family webserver on my desktop, but I also have
Fail2Ban installed. It registers multiple failed connection attempts
every day, mainly from China. My policy is to automatically ban these
forever as soon as they occur.

poc
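
Patrick's policy (count failed attempts, then ban the source for good) is what fail2ban's sshd jail does with `maxretry` and a negative `bantime`. The block below is an added example, not Patrick's configuration: `offenders` is a small awk reimplementation of the counting step so you can see what the filter matches, run over constructed sshd log lines (not real traffic), and `jail_local` prints a `jail.local` that expresses the permanent-ban policy. It assumes fail2ban 0.10 or later, where `bantime = -1` means a permanent ban and durations like `10m` are accepted.

```shell
#!/bin/sh
# Added example (not Patrick's config). Shows which source addresses fail2ban's
# sshd jail would act on, and the jail.local that bans them permanently.

# Constructed sshd log lines in journal/secure style; addresses are from the
# RFC 5737 documentation ranges, so nothing here refers to a real host.
SAMPLE_LOG='Feb 14 09:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 41234 ssh2
Feb 14 09:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 41235 ssh2
Feb 14 09:00:05 host sshd[1003]: Failed password for root from 203.0.113.5 port 41236 ssh2
Feb 14 09:00:10 host sshd[1004]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Feb 14 09:01:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 40000 ssh2'

# Print the source IPs with at least $1 "Failed password" lines, sorted.
# This mirrors fail2ban's maxretry check (without the findtime window).
# Reads log lines on stdin.
offenders() {
    maxretry="$1"
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip }' | sort
}

# Emit a jail.local implementing "ban forever as soon as they occur":
# three failures inside ten minutes, ban never expires.
jail_local() {
    cat <<'EOF'
[DEFAULT]
bantime  = -1
findtime = 10m
maxretry = 3

[sshd]
enabled = true
EOF
}

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | offenders 3      # one repeat offender
#   jail_local > /etc/fail2ban/jail.local          # then: systemctl restart fail2ban
```

On the sample, only `203.0.113.5` crosses the three-failure threshold; `198.51.100.7` failed once and `192.0.2.10` logged a successful key login, which the filter ignores. The trade-off of a permanent ban is that a legitimate user who mistypes a password three times from a new address stays locked out until you run `fail2ban-client set sshd unbanip <address>`, so keep key-based login working from somewhere you control.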


Re: security: wted?

2025-02-14 Thread George N. White III
On Fri, Feb 14, 2025 at 11:50 AM Tim via users wrote:
>
> Most of the time anti-malware running on Linux was to protect Windows
> machines on the same network.  Such as scanning incoming mail before
> the Windows machines got it.
>
Decades ago at work many of us had email on IRIX64 or NextStep and were
required to switch to Outlook.  Some users had big mbox files.  We used
clamav to check for malware before transferring the mbox files.  There
were many attachments with Windows malware.

My boss was at a high-level meeting that included US military brass.  At
the end of the meeting the final report was shared via a USB key.  My boss
had a macbook, but the military had Windows laptops.  At the time, Apple
was using clamav with custom rules.  The macbook detected malware in the
form of a copy.exe on the USB key.

-- 
George N. White III